Added additional composition types, bom-ref, and updated docs.

Signed-off-by: Steve Springett <[email protected]>

Author: stevespringett

schema/bom-1.5.proto

@@ -545,18 +545,26 @@ message Property {
 }
 
 enum Aggregate {
-  // Default, no statement about the aggregate completeness is being made
+  // The relationship completeness is not specified.
   AGGREGATE_NOT_SPECIFIED = 0;
-  // The aggregate composition is complete
+  // The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.
   AGGREGATE_COMPLETE = 1;
-  // The aggregate composition is incomplete
+  // The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.
   AGGREGATE_INCOMPLETE = 2;
-  // The aggregate composition is incomplete for first party components, complete for third party components
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.
   AGGREGATE_INCOMPLETE_FIRST_PARTY_ONLY = 3;
-  // The aggregate composition is incomplete for third party components, complete for first party components
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.
   AGGREGATE_INCOMPLETE_THIRD_PARTY_ONLY = 4;
-  // The aggregate composition completeness is unknown
+  // The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.
   AGGREGATE_UNKNOWN = 5;
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+  AGGREGATE_INCOMPLETE_FIRST_PARTY_PROPRIETARY_ONLY = 6;
+  // The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+  AGGREGATE_INCOMPLETE_FIRST_PARTY_OPENSOURCE_ONLY = 7;
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.
+  AGGREGATE_INCOMPLETE_THIRD_PARTY_PROPRIETARY_ONLY = 8;
+  // The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.
+  AGGREGATE_INCOMPLETE_THIRD_PARTY_OPENSOURCE_ONLY = 9;
 }
 
 message Composition {
@@ -566,6 +574,8 @@ message Composition {
   repeated string assemblies = 2;
   // The dependencies the aggregate completeness applies to
   repeated string dependencies = 3;
+  // An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM.
+  optional string bom_ref = 4;
 }
 
 message EvidenceCopyright {

schema/bom-1.5.schema.json

@@ -1511,10 +1511,15 @@
       ],
       "additionalProperties": false,
       "properties": {
+        "bom-ref": {
+          "$ref": "#/definitions/refType",
+          "title": "BOM Reference",
+          "description": "An optional identifier which can be used to reference the composition elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
+        },
         "aggregate": {
           "$ref": "#/definitions/aggregateType",
           "title": "Aggregate",
-          "description": "Specifies an aggregate type that describe how complete a relationship is."
+          "description": "Specifies an aggregate type that describe how complete a relationship is.\n\n* __complete__ = The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.\n* __incomplete__ = The relationship is incomplete. Additional relationships exist and may include constituent components, services, or dependencies.\n* __incomplete_first_party_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.\n* __incomplete_first_party_proprietary_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_first_party_opensource_only__ = The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __incomplete_third_party_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.\n* __incomplete_third_party_proprietary_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.\n* __incomplete_third_party_opensource_only__ = The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.\n* __unknown__ = The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.\n* __not_specified__ = The relationship completeness is not specified.\n"
         },
         "assemblies": {
           "type": "array",
@@ -1548,7 +1553,11 @@
         "complete",
         "incomplete",
         "incomplete_first_party_only",
+        "incomplete_first_party_proprietary_only",
+        "incomplete_first_party_opensource_only",
         "incomplete_third_party_only",
+        "incomplete_third_party_proprietary_only",
+        "incomplete_third_party_opensource_only",
         "unknown",
         "not_specified"
       ]

schema/bom-1.5.xsd

@@ -2142,13 +2142,21 @@ limitations under the License.
                 </xs:complexType>
             </xs:element>
         </xs:sequence>
+        <xs:attribute name="bom-ref" type="bom:refType">
+            <xs:annotation>
+                <xs:documentation>
+                    An optional identifier which can be used to reference the composition elsewhere in the BOM.
+                    Uniqueness is enforced within all elements and children of the root-level bom element.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
     </xs:complexType>
 
     <xs:simpleType name="aggregateType">
         <xs:restriction base="xs:string">
             <xs:enumeration value="complete">
                 <xs:annotation>
-                    <xs:documentation>The relationship is complete. No further relationships including constituent components, services, or dependencies exist.</xs:documentation>
+                    <xs:documentation>The relationship is complete. No further relationships including constituent components, services, or dependencies are known to exist.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
             <xs:enumeration value="incomplete">
@@ -2161,11 +2169,31 @@ limitations under the License.
                     <xs:documentation>The relationship is incomplete. Only relationships for first-party components, services, or their dependencies are represented.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
+            <xs:enumeration value="incomplete_first_party_proprietary_only">
+                <xs:annotation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="incomplete_first_party_opensource_only">
+                <xs:annotation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
             <xs:enumeration value="incomplete_third_party_only">
                 <xs:annotation>
                     <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented.</xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
+            <xs:enumeration value="incomplete_third_party_proprietary_only">
+                <xs:annotation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are proprietary.</xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
+            <xs:enumeration value="incomplete_third_party_opensource_only">
+                <xs:annotation>
+                    <xs:documentation>The relationship is incomplete. Only relationships for third-party components, services, or their dependencies are represented, limited specifically to those that are opensource.</xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
             <xs:enumeration value="unknown">
                 <xs:annotation>
                     <xs:documentation>The relationship may be complete or incomplete. This usually signifies a 'best-effort' to obtain constituent components, services, or dependencies but the completeness is inconclusive.</xs:documentation>

tools/src/test/resources/1.5/valid-compositions-1.5.json

@@ -46,6 +46,7 @@
   ],
   "compositions": [
     {
+      "bom-ref": "composition-1",
       "aggregate": "complete",
       "assemblies": [
         "pkg:maven/partner/[email protected]"
@@ -55,6 +56,7 @@
       ]
     },
     {
+      "bom-ref": "composition-2",
       "aggregate": "unknown",
       "assemblies": [
         "pkg:maven/acme/[email protected]"

tools/src/test/resources/1.5/valid-compositions-1.5.textproto

@@ -39,11 +39,13 @@ dependencies {
   }
 }
 compositions {
+  bom_ref: "composition-1"
   aggregate: AGGREGATE_COMPLETE
   assemblies: "pkg:maven/partner/[email protected]"
   dependencies: "acme-application-1.0"
 }
 compositions {
+  bom_ref: "composition-1"
   aggregate: AGGREGATE_UNKNOWN
   assemblies: "pkg:maven/acme/[email protected]"
 }

tools/src/test/resources/1.5/valid-compositions-1.5.xml

@@ -32,7 +32,7 @@
         </dependency>
     </dependencies>
     <compositions>
-        <composition>
+        <composition bom-ref="composition-1">
             <aggregate>complete</aggregate>
             <assemblies>
                 <assembly ref="pkg:maven/partner/[email protected]"/>
@@ -41,7 +41,7 @@
                 <dependency ref="acme-application-1.0"/>
             </dependencies>
         </composition>
-        <composition>
+        <composition bom-ref="composition-2">
             <aggregate>unknown</aggregate>
             <assemblies>
                 <assembly ref="pkg:maven/acme/[email protected]"/>